Challenge:
0000h: 69 35 41 01 1C 9E 75 78 5D 48 FB F0 84 CD 66 79 i5A..žux]Hûð„Ífy
0010h: 55 30 49 4C 56 D2 73 70 12 45 A8 BA 85 C0 3E 53 U0ILVÒsp.E¨º…À>S
0020h: 73 1B 78 2A 4B E9 77 26 5E 73 BF AA 85 9C 15 6F s.x*Kéw&^s¿ª…œ.o
0030h: 54 2C 73 1B 58 8A 66 48 5B 19 84 B0 80 CA 33 73 T,s.XŠfH[.„°€Ê3s
0040h: 5C 52 0C 4C 10 9E 32 37 12 0C FB BA CB 8F 6A 53 \R.L.ž27..ûºË
0050h: 01 78 0C 4C 10 9E 32 37 12 0C FB BA CB 8F 6A 53 .x.L.ž27..ûºË
0060h: 01 78 0C 4C 10 9E 32 37 12 0C FB BA CB 8F 6A 53 .x.L.ž27..ûºË
0070h: 01 78 0C 4C 10 9E 32 37 12 0C 89 D5 A2 FC .x.L.ž27..‰Õ¢ü
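Description: the key does not exist
Solve:
The challenge data contains two identical rows of hex, so I guessed they might be the key. The challenge is named xor, so try XORing those bytes against the whole text, position by position: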
str1 =[0x01,0x78,0x0C,0x4C,0x10,0x9E,0x32,0x37,0x12,0x0C,0xFB,0xBA,0xCB,0x8F,0x6A,0x53]
result=[]
txt =[0x69,0x35,0x41,0x01,0x1C,0x9E,0x75,0x78,0x5D,0x48,0xFB,0xF0,0x84,0xCD,0x66,0x79,0x55,0x30,0x49,0x4C,0x56,0xD2,0x73,0x70,0x12,0x45,0xA8,0xBA,0x85,0xC0,0x3E,0x53,0x73,0x1B,0x78,0x2A,0x4B,0xE9,0x77,0x26,0x5E,0x73,0xBF,0xAA,0x85,0x9C,0x15,0x6F,0x54,0x2C,0x73,0x1B,0x58,0x8A,0x66,0x48,0x5B,0x19,0x84,0xB0,0x80,0xCA,0x33,0x73,0x5C,0x52,0x0C,0x4C,0x10,0x9E,0x32,0x37,0x12,0x0C,0xFB,0xBA,0xCB,0x8F,0x6A,0x53,0x01,0x78,0x0C,0x4C,0x10,0x9E,0x32,0x37,0x12,0x0C,0xFB,0xBA,0xCB,0x8F,0x6A,0x53,0x01,0x78,0x0C,0x4C,0x10,0x9E,0x32,0x37,0x12,0x0C,0xFB,0xBA,0xCB,0x8F,0x6A,0x53,0x01,0x78,0x0C,0x4C,0x10,0x9E,0x32,0x37,0x12,0x0C,0x89,0xD5,0xA2,0xFC]
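for i in range(len(txt)):
    # XOR each byte with the repeating 16-byte candidate key
    tmp = str1[i % len(str1)] ^ txt[i]
    # store as a two-digit hex string so the next step can parse it with int(..., 16)
    result.append(hex(tmp)[2:].zfill(2))
    print(hex(tmp)[2:].zfill(2), end="")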
0000h: 68 4D 4D 4D 0C 00 47 4F 4F 44 00 4A 4F 42 0C 2A hMMM..GOOD.JOB.*
0010h: 54 48 45 00 46 4C 41 47 00 49 53 00 4E 4F 54 00 THE.FLAG.IS.NOT.
0020h: 72 63 74 66 5B 77 45 11 4C 7F 44 10 4E 13 7F 3C rctf[wE.LD.N.<
0030h: 55 54 7F 57 48 14 54 7F 49 15 7F 0A 4B 45 59 20 UTWH.TI..KEY
0040h: 5D 2A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ]*..............
0050h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070h: 00 00 00 00 00 00 00 00 00 00 72 6F 69 73 ..........rois
The data turns out to be separated by many 00 bytes. Guessing that these stand for spaces (a space is 0x20), XOR all of the data with 0x20:
result2=[]
for j in range(len(result)):
    # flip bit 0x20 so the 00 bytes become spaces
    tmp = int(result[j], 16) ^ 0x20
    result2.append(hex(tmp)[2:].zfill(2))
    print(hex(tmp)[2:].zfill(2), end="")
0000h: 48 6D 6D 6D 2C 20 67 6F 6F 64 20 6A 6F 62 2C 0A Hmmm, good job,.
0010h: 74 68 65 20 66 6C 61 67 20 69 73 20 6E 6F 74 20 the flag is not
0020h: 52 43 54 46 7B 57 65 31 6C 5F 64 30 6E 33 5F 1C RCTF{We1l_d0n3_.
0030h: 75 74 5F 77 68 34 74 5F 69 35 5F 2A 6B 65 79 00 ut_wh4t_i5_*key.
0040h: 7D 0A 20 20 20 20 20 20 20 20 20 20 20 20 20 20 }.
0050h: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0060h: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0070h: 20 20 20 20 20 20 20 20 20 20 52 4F 49 53 ROIS
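One problem I ran into here is worth noting:
When a byte is 0x0C, Python prints it as 0xC and drops a zero, so my data came out short at first; I later used zfill to pad the 0 back.
The character before ut is a non-printable character, and *key is followed by a space.
The writeups online reasoned that *key might also be followed by a *, so they XORed both of these bytes with * (0x2A).
That gives: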
0000h: 48 6D 6D 6D 2C 20 67 6F 6F 64 20 6A 6F 62 2C 0A Hmmm, good job,.
0010h: 74 68 65 20 66 6C 61 67 20 69 73 20 6E 6F 74 20 the flag is not
0020h: 52 43 54 46 7B 57 65 31 6C 5F 64 30 6E 33 5F 36 RCTF{We1l_d0n3_6
0030h: 75 74 5F 77 68 34 74 5F 69 35 5F 2A 6B 65 79 2A ut_wh4t_i5_*key*
0040h: 7D 0A 20 }.
RCTF{We1l_d0n3_6ut_wh4t_i5_*key*}
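Then I naively assumed this was the flag.
I kept submitting it without success, so I came back for another look.
The challenge description says the key does not exist, and the word md5 appears in the challenge.
Let's check whether the key used for the XOR earlier can be looked up: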
01780C4C109E3237120CFBBACB8F6A53
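This one was not found.
After that I could not think of what to do next.
The writeups online all say to treat it as an MD5 hash to reverse, after first XORing it with 32: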
a = ['01','78','0C','4C','10','9E','32','37','12','0C','FB','BA','CB','8F','6A','53']
final = []
for i in range(0, len(a)):
    x = int(a[i], 16)
    # XOR with 32 (0x20); zfill keeps a leading zero if one appears
    final.append(hex(x ^ 32)[2:].zfill(2))
    print(hex(x ^ 32)[2:].zfill(2), end="")
print(final)
21582c6c30be1217322cdb9aebaf4a73
Looking up 21582c6c30be1217322cdb9aebaf4a73 as an MD5 hash gives that.
Replace the key in the original flag with that, and it works:
RCTF{We1l_d0n3_6ut_wh4t_i5_that}
Full script:
str1 =[0x01,0x78,0x0C,0x4C,0x10,0x9E,0x32,0x37,0x12,0x0C,0xFB,0xBA,0xCB,0x8F,0x6A,0x53]
result=[]
txt =[0x69,0x35,0x41,0x01,0x1C,0x9E,0x75,0x78,0x5D,0x48,0xFB,0xF0,0x84,0xCD,0x66,0x79,0x55,0x30,0x49,0x4C,0x56,0xD2,0x73,0x70,0x12,0x45,0xA8,0xBA,0x85,0xC0,0x3E,0x53,0x73,0x1B,0x78,0x2A,0x4B,0xE9,0x77,0x26,0x5E,0x73,0xBF,0xAA,0x85,0x9C,0x15,0x6F,0x54,0x2C,0x73,0x1B,0x58,0x8A,0x66,0x48,0x5B,0x19,0x84,0xB0,0x80,0xCA,0x33,0x73,0x5C,0x52,0x0C,0x4C,0x10,0x9E,0x32,0x37,0x12,0x0C,0xFB,0xBA,0xCB,0x8F,0x6A,0x53,0x01,0x78,0x0C,0x4C,0x10,0x9E,0x32,0x37,0x12,0x0C,0xFB,0xBA,0xCB,0x8F,0x6A,0x53,0x01,0x78,0x0C,0x4C,0x10,0x9E,0x32,0x37,0x12,0x0C,0xFB,0xBA,0xCB,0x8F,0x6A,0x53,0x01,0x78,0x0C,0x4C,0x10,0x9E,0x32,0x37,0x12,0x0C,0x89,0xD5,0xA2,0xFC]
for i in range(len(txt)):
    # step 1: XOR with the repeated 16-byte block
    tmp = str1[i % len(str1)] ^ txt[i]
    result.append(hex(tmp)[2:].zfill(2))
    print(hex(tmp)[2:].zfill(2), end="")
print('\n')
result2=[]
for j in range(len(result)):
    # step 2: XOR with 0x20 so the 00 bytes become spaces
    tmp = int(result[j], 16) ^ 0x20
    result2.append(hex(tmp)[2:].zfill(2))
    print(hex(tmp)[2:].zfill(2), end="")
print('\n')
print(hex(0x1c^0x2a))
a = ['01','78','0C','4C','10','9E','32','37','12','0C','FB','BA','CB','8F','6A','53']
final = []
for i in range(0, len(a)):
    x = int(a[i], 16)
    # step 3: XOR the repeated block with 32 (0x20) to get the MD5 value to look up
    final.append(hex(x ^ 32)[2:].zfill(2))
    print(hex(x ^ 32)[2:].zfill(2), end="")
print(final)
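Added example (not part of the original writeup): the same recovery done on bytes in one pass, showing why the steps above work. Where the plaintext is space padding, each ciphertext block equals key XOR 0x20, so the repeated block leaks the real key directly. The 16-byte key length, the 0x20 padding byte and the three-word list are assumptions.

```python
import hashlib
from collections import Counter

# Ciphertext copied from the hex dump in the challenge (126 bytes).
CT = bytes.fromhex(
    "693541011C9E75785D48FBF084CD6679"
    "5530494C56D273701245A8BA85C03E53"
    "731B782A4BE977265E73BFAA859C156F"
    "542C731B588A66485B1984B080CA3373"
    "5C520C4C109E3237120CFBBACB8F6A53"
    "01780C4C109E3237120CFBBACB8F6A53"
    "01780C4C109E3237120CFBBACB8F6A53"
    "01780C4C109E3237120C89D5A2FC"
)

def repeated_block(ct, size=16):
    """Return the most frequent aligned block, or None if nothing repeats."""
    blocks = [ct[i:i + size] for i in range(0, len(ct) - size + 1, size)]
    if not blocks:
        return None
    block, count = Counter(blocks).most_common(1)[0]
    return block if count > 1 else None

def recover_key(ct, size=16, pad=0x20):
    """Assume the repeated block is padding XOR key, so key = block XOR pad."""
    block = repeated_block(ct, size)
    if block is None:
        raise ValueError("no repeated block: padding assumption does not hold")
    return bytes(b ^ pad for b in block)

def xor_decrypt(ct, key):
    """Repeating-key XOR; the same operation encrypts and decrypts."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(ct))

def md5_lookup(digest, words):
    """Offline stand-in for the online MD5 lookup: first word hashing to digest."""
    return next((w for w in words if hashlib.md5(w).digest() == digest), None)

if __name__ == "__main__":
    key = recover_key(CT)
    print(key.hex())
    print(xor_decrypt(CT, key).decode("latin-1"))
    # Constructed three-word list; the page reports the lookup result as "that".
    print(md5_lookup(key, [b"key", b"this", b"that"]))
```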
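Summary
XORing a file until readable plaintext appears is quite fun, but honestly the line of reasoning here takes some leaps, and without reading the writeups it would probably have taken me a very, very long time.
Reference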
https://blog.csdn.net/weixin_44604541/article/details/112403221